> On 20 Jul 2014, at 17:35, Rohit Yadav <rohit.ya...@shapeblue.com> wrote:
>
> Hi,
>
> I'm assuming no one objects to the proposal and the spec, I'll move forward
> with the first implementation starting next week but will be mostly
> offline till 28th July.
>

+1 from me, most definitely. Your email was clear, thanks for putting up the design doc on the wiki. I agree with a first step to implement an SP.

-sebastien

> Regards.
>
> Rohit Yadav wrote:
>> Hi guys,
>>
>> There has been a lot of interest [4] around auth related problems in
>> CloudStack such as -- SSO/SLO (single sign on / log out), 2-factor
>> authentication, role based network/IP/CIDR checking etc.
>>
>> A lot of the challenge in implementing them in CloudStack is because of two
>> divergent authentication mechanisms (one that is
>> username/password/cookie based, the other which is api/secret keys or
>> hmac/signature based).
>>
>> This thread tries to kickstart a project in that direction which will in
>> the short term try to implement a SAML2 plugin and in the long term have a much
>> better authentication framework.
>>
>> Let me start by briefly explaining what SAML2 [1] is -- it's an XML
>> based authentication and authorization protocol widely used to implement
>> single sign on service. Having a SAML plugin in ACS will give users and
>> organizations who already have such an infrastructure in place a new mode
>> of authentication.
>>
>> A SAML based SSO infrastructure consists of three entities - user-agent
>> (UA), service provider (SP) and identity provider (IdP). The UA is the
>> user/browser, the SP is the application that the UA is accessing (i.e.
>> Apache CloudStack UI) and the IdP is the identity service and does
>> authentication and authorization, management of users among other
>> things. The IdP could be backed by LDAP, AD etc. For the scope of this
>> feature, we only need to implement a SAML SP plugin in CloudStack and use
>> any free SAML 2.0 compliant IdP server [5] for testing.
>>
>> For this I researched and explored ways of implementing that and have a
>> first draft which needs to be discussed and iterated in the ACS dev
>> community.
>>
>> After comparing many opensource SAML 2.0 implementations, their
>> security and stability, we'll use OpenSAML [2] which is the most stable
>> and widely used Java implementation. Since within CloudStack we've been
>> using Spring (for DI etc.), I explored and found the Spring Security SAML
>> extension [3] which fits perfectly and it too uses OpenSAML.
>>
>> I also have a working proof-of-concept general implementation using the
>> above, based on which I've put together a design document draft on this
>> feature for your review:
>>
>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SAML+2.0+Plugin
>>
>> There are some complex stories/cases around security and user management
>> in CloudStack, some of which are listed under 'open ended questions' in
>> the draft above, most of which I'm not sure how to address.
>>
>> After the first round of discussion, I'll go ahead with a basic
>> implementation of this feature. The second phase will address broader
>> use cases.
>>
>> Comments, questions, suggestions?
>>
>> References:
>>
>> [1] http://en.wikipedia.org/wiki/SAML_2.0
>> [2] https://wiki.shibboleth.net/confluence/display/OpenSAML/Home
>> [3] http://projects.spring.io/spring-security-saml
>> [4] John Burwell's talk on SSO in CloudStack:
>> https://www.youtube.com/watch?v=kCR0TzrfCOM
>> [5] https://idp.ssocircle.com/sso/UI/Login
>>
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +91 88 262 30892 | rohit.ya...@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>
>> Find out more about ShapeBlue and our range of CloudStack related services
>>
>> IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>> CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
>>
>> This email and any attachments to it may be confidential and are
>> intended solely for the use of the individual to whom it is addressed.
>> Any views or opinions expressed are solely those of the author and do
>> not necessarily represent those of Shape Blue Ltd or related companies.
>> If you are not the intended recipient of this email, you must neither
>> take any action based upon its contents, nor copy or show it to anyone.
>> Please contact the sender if you believe you have received this email in
>> error. Shape Blue Ltd is a company incorporated in England & Wales.
>> ShapeBlue Services India LLP is a company incorporated in India and is
>> operated under license from Shape Blue Ltd. Shape Blue Brasil
>> Consultoria Ltda is a company incorporated in Brasil and is operated
>> under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company
>> registered by The Republic of South Africa and is traded under license
>> from Shape Blue Ltd. ShapeBlue is a registered trademark.
>
> --
> Rohit Yadav
> Software Architect, ShapeBlue
> M. +41 779015219 | rohit.ya...@shapeblue.com
> Blog: bhaisaab.org | Twitter: @_bhaisaab
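The UA/SP/IdP exchange Rohit sketches above, and the "open ended questions" around security, come down to what the SP must verify before it trusts an assertion. The following is an added example, not code from this thread, from OpenSAML, or from the CloudStack SAML plugin: a self-contained Python sketch of the SP side, in Python rather than the plugin's Java so it runs without OpenSAML. The entity IDs, the ACS URL, the sample user and the HMAC over the serialized assertion are all constructed assumptions; a real SP verifies the IdP's XML-DSig signature against the certificate from IdP metadata, which is what OpenSAML does for you. What the example shows is the ordered set of checks (signature, issuer, replay, InResponseTo, destination, validity window, audience) and the responses that each check rejects.

```python
"""SP-side SAML 2.0 checks (constructed example; HMAC stands in for XML-DSig)."""
import hashlib, hmac, secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
IDP_KEY = b"constructed-demo-key"  # hypothetical; stands in for the IdP's signing key
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def _parse_time(text):
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)

def _sign(assertion_elem):  # signature over the serialized Assertion subtree
    return hmac.new(IDP_KEY, ET.tostring(assertion_elem), hashlib.sha256).hexdigest()

def build_authn_request(sp_entity_id, acs_url, outstanding):
    """SP step 1: mint an AuthnRequest; its ID must come back in InResponseTo."""
    req_id = "_" + secrets.token_hex(16)
    outstanding[req_id] = acs_url
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" ID="{req_id}" '
           f'AssertionConsumerServiceURL="{acs_url}"><saml:Issuer xmlns:saml="{NS["saml"]}">'
           f'{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
    return req_id, xml

def issue_response(idp_entity_id, sp_entity_id, acs_url, in_response_to, name_id,
                   now, ttl=300, audience=None):
    """Constructed IdP: a signed bearer assertion wrapped in a Response."""
    issued, expiry = now.strftime(TIME_FMT), (now + timedelta(seconds=ttl)).strftime(TIME_FMT)
    assertion = (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_{secrets.token_hex(16)}" '
        f'IssueInstant="{issued}"><saml:Issuer>{idp_entity_id}</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{name_id}</saml:NameID><saml:SubjectConfirmation '
        f'Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData '
        f'InResponseTo="{in_response_to}" Recipient="{acs_url}" NotOnOrAfter="{expiry}"/>'
        f'</saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{issued}" NotOnOrAfter="{expiry}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience or sp_entity_id}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion>')
    sig = _sign(ET.fromstring(assertion))
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" Destination="{acs_url}" '
            f'InResponseTo="{in_response_to}">{assertion}<Signature>{sig}</Signature>'
            f'</samlp:Response>')

def validate_response(xml_text, sp_entity_id, acs_url, idp_entity_id,
                      outstanding, seen_ids, now, skew=60):
    """SP step 2: returns the NameID, or raises ValueError naming the failed check."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    cond = None if assertion is None else assertion.find("saml:Conditions", NS)
    scd = None if assertion is None else assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    sig = root.findtext("Signature")
    if None in (assertion, cond, scd, sig):
        raise ValueError("malformed response")
    # 1. The signature binds every field checked below, so verify it first.
    if not hmac.compare_digest(_sign(assertion), sig):
        raise ValueError("bad signature")
    # 2. Issuer must be the configured IdP, not merely some valid signer.
    if assertion.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise ValueError("unexpected issuer")
    # 3. Each assertion is accepted once (replay protection).
    if assertion.get("ID") in seen_ids:
        raise ValueError("assertion replayed")
    # 4. The response answers a request this SP issued and has not yet consumed.
    req_id = root.get("InResponseTo")
    if req_id not in outstanding or scd.get("InResponseTo") != req_id:
        raise ValueError("unsolicited response")
    # 5. Destination and Recipient are our ACS URL, so assertions aimed elsewhere fail.
    if root.get("Destination") != acs_url or scd.get("Recipient") != acs_url:
        raise ValueError("destination mismatch")
    # 6. Validity window, allowing bounded clock skew between IdP and SP.
    lo, hi = _parse_time(cond.get("NotBefore")), _parse_time(cond.get("NotOnOrAfter"))
    if not lo - timedelta(seconds=skew) <= now < hi + timedelta(seconds=skew):
        raise ValueError("assertion outside its validity window")
    # 7. Audience restriction: the assertion was minted for this SP, not another one.
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != sp_entity_id:
        raise ValueError("audience mismatch")
    seen_ids.add(assertion.get("ID"))
    del outstanding[req_id]
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

def run_demo():
    """One good SSO round trip plus the responses an SP must reject (all constructed)."""
    sp, idp = "https://cloud.example.org/sp", "https://idp.example.org/idp"
    acs = "https://cloud.example.org/client/api?command=samlsso"
    now = datetime(2014, 7, 21, 10, 0, tzinfo=timezone.utc)
    outstanding, seen = {}, set()
    def attempt(resp, at=now):
        try:
            return validate_response(resp, sp, acs, idp, outstanding, seen, at)
        except ValueError as err:
            return str(err)
    rid, _ = build_authn_request(sp, acs, outstanding)
    good = issue_response(idp, sp, acs, rid, "alice@example.org", now)
    results = {"valid": attempt(good), "replay": attempt(good)}
    rid, _ = build_authn_request(sp, acs, outstanding)
    fresh = lambda **kw: issue_response(idp, sp, acs, rid, "alice@example.org", now, **kw)
    results["tampered"] = attempt(fresh().replace("alice@", "admin@"))
    results["other_sp"] = attempt(fresh(audience="https://other-sp.example.net"))
    results["expired"] = attempt(fresh(), at=now + timedelta(minutes=10))
    return results
```

`run_demo()` returns the outcome of each attempt: the first response yields the NameID, while the same response presented twice, a response with an edited NameID, an assertion the IdP minted for a different SP, and a stale assertion are each rejected by the check named in the error. The order matters in practice: checking the signature before anything else means a forged InResponseTo or Audience never gets a chance to drive SP state, and consuming the request ID and recording the assertion ID only after every check passes means a rejected response cannot poison the bookkeeping for a later valid one.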